CVE-2019-13132
Published 2019-07-10
Priority P2 76 · critical 9.8 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 42.46% (98.5th percentile)
In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2, a remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library. Users running public servers with the above configuration are highly encouraged to upgrade as soon as possible, as there are no known mitigations.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | zeromq3 | < zeromq3 4.3.1-5 (bookworm) | zeromq3 4.3.1-5 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| zeromq | libzmq | < 4.0.9 | 4.0.9 |
| zeromq | libzmq | >= 4.1.0 < 4.1.7 | 4.1.7 |
| zeromq | libzmq | >= 4.2.0 < 4.3.2 | 4.3.2 |
Detection & IOCs
bytes: 0xFF 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x01 0x01 0x00
bytes: 0x02 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
- Detect exploit attempts by monitoring for ZMTP v2 frames with msg_size set to 0xFFFFFFFFFFFFFFFF (all-0xFF 8-byte size field) immediately following a 0x02 flag byte, indicating an integer overflow attempt in v2_decoder_t::size_ready().
- Detect the malformed ZMTP greeting: a 12-byte sequence starting with 0xFF followed by 8 zero bytes, then 0x01 0x01 0x00, which selects ZMTP_2_0 and triggers the vulnerable code path on servers with CURVE encryption/authentication enabled.
- The exploit overwrites the zmq::msg_t::content_t struct (fields: data, size, ffn function pointer, hint) located immediately after the receive buffer. Monitor for crashes or unexpected function pointer calls in libzmq processes after receiving oversized ZMTP v2 messages.
- The vulnerability is exploitable only on libzmq sockets with CURVE encryption/authentication enabled. Audit deployments for public-facing ZMQ sockets using CURVE and prioritize patching to libzmq >= 4.0.9, >= 4.1.7, or >= 4.3.2.
- The exploit sends exactly 8183 bytes of padding payload after the oversized msg_size to reach the content_t struct boundary. Network signatures should look for TCP streams to ZMQ ports containing a v2 frame with 0xFF*8 size followed by ~8183 bytes of data.
- The exploit requires knowledge of target process memory addresses (e.g., strcpy, system, .data section) to achieve code execution; ASLR significantly raises the bar unless a separate information-disclosure vulnerability is present.
- The vulnerability is only triggerable on libzmq servers with CURVE encryption/authentication enabled; servers without CURVE are not affected by this specific attack vector.
- The overflow does not corrupt dlmalloc metadata (bk/fd pointers) and would not trigger AddressSanitizer, making heap-based detection tools ineffective for catching this exploit in flight.
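A minimal form of the network check described in the list above, written for this page as an added example (not code from libzmq or from any of the cited advisories): after the quoted 12-byte greeting it walks ZMTP v2 frame headers and reports a declared size above a ceiling. The names `inspect_stream` and `MAX_SANE_SIZE`, the 1 GiB ceiling, and both sample streams are assumptions constructed for illustration.

```python
import struct

# Greeting quoted on this page: 0xFF, eight 0x00 bytes, then 0x01 0x01 0x00.
GREETING = bytes([0xFF]) + bytes(8) + bytes([0x01, 0x01, 0x00])
LONG_FLAG = 0x02          # v2 flag bit: an 8-byte big-endian size follows
MAX_SANE_SIZE = 1 << 30   # assumed policy ceiling; tune per deployment


def inspect_stream(data: bytes) -> list:
    """Walk client-to-server bytes and report oversized v2 frame headers."""
    findings = []
    if not data.startswith(GREETING):
        return findings            # not the greeting variant described here
    pos = len(GREETING)
    while pos < len(data):
        flags = data[pos]
        if flags & LONG_FLAG:
            if pos + 9 > len(data):
                break              # header truncated; need more bytes
            (size,) = struct.unpack_from(">Q", data, pos + 1)
            header_len = 9
        else:
            if pos + 2 > len(data):
                break
            size = data[pos + 1]   # short frame: 1-byte size
            header_len = 2
        if size > MAX_SANE_SIZE:
            findings.append({
                "offset": pos,
                "declared_size": size,
                "all_ff": size == 0xFFFFFFFFFFFFFFFF,
                "bytes_following": len(data) - pos - header_len,
            })
            break                  # frame boundaries cannot be trusted now
        pos += header_len + size
    return findings


# Constructed sample streams (not captured traffic).
BENIGN = GREETING + b"\x00\x05hello" + b"\x02" + struct.pack(">Q", 300) + bytes(300)
SUSPECT = GREETING + b"\x02" + b"\xff" * 8 + b"A" * 16

if __name__ == "__main__":
    print(inspect_stream(BENIGN))
    print(inspect_stream(SUSPECT))
```

The `bytes_following` field lets an analyst compare the captured payload length with the roughly 8183 bytes mentioned above.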
CVSS provenance
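| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |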
Ubuntu
ZeroMQ vulnerabilities
vendor_ubuntu·2022-06-15·CVSS 9.8
CVE-2020-15166 [CRITICAL] ZeroMQ vulnerabilities
Title: ZeroMQ vulnerabilities
Summary: Several security issues were fixed in ZeroMQ.
It was discovered that ZeroMQ incorrectly handled certain application
metadata. A remote attacker could use this issue to cause ZeroMQ to crash,
or possibly execute arbitrary code. (CVE-2019-13132)
It was discovered that ZeroMQ mishandled certain network traffic. An
unauthenticated attacker could use this vulnerability to cause a denial-of-
service and prevent legitimate clients from communicating with ZeroMQ.
(CVE-2020-15166)
It was discovered that ZeroMQ did not properly manage memory under certain
circumstances. If a user or automated system were tricked into connecting
to one or multiple compromised servers, a remote attacker could use this
issue to cause a denial of service. (CVE-2021-20234)
It w
Red Hat
zeromq: stack-overflow on any server protected by encryption/authentication
vendor_redhat·2019-07-15·CVSS 9.8
CVE-2019-13132 [CRITICAL] CWE-121 zeromq: stack-overflow on any server protected by encryption/authentication
In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2, a remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library. Users running public servers with the above configuration are highly encouraged to upgrade as soon as possible, as there are no known mitigations.
Package: zeromq3 (Red Hat Ceph Storage 2) - Not affected
Ubuntu
ZeroMQ vulnerability
vendor_ubuntu·2019-07-08
CVE-2019-13132 ZeroMQ vulnerability
Title: ZeroMQ vulnerability
Summary: ZeroMQ could be made to crash or run programs if it received specially crafted
network traffic.
It was discovered that ZeroMQ incorrectly handled certain application metadata.
A remote attacker could use this issue to cause ZeroMQ to crash, or possibly
execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2019-13132: zeromq3 - In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2, a rem...
vendor_debian·2019·CVSS 9.8
CVE-2019-13132 [CRITICAL] CVE-2019-13132: zeromq3 - In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2, a rem...
In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2, a remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library. Users running public servers with the above configuration are highly encouraged to upgrade as soon as possible, as there are no known mitigations.
Scope: local
bookworm: resolved (fixed in 4.3.1-5)
bullseye: resolved (fixed in 4.3.1-5)
forky: resolved (fixed in 4.3.1-5)
sid: resolved (fixed in 4.3.1-5)
trixie: resolved (fixed in 4.3.1-5)
OSV
zeromq3 vulnerabilities
osv·2022-06-15·CVSS 9.8
CVE-2019-13132 [CRITICAL] zeromq3 vulnerabilities
It was discovered that ZeroMQ incorrectly handled certain application
metadata. A remote attacker could use this issue to cause ZeroMQ to crash,
or possibly execute arbitrary code. (CVE-2019-13132)
It was discovered that ZeroMQ mishandled certain network traffic. An
unauthenticated attacker could use this vulnerability to cause a denial-of-
service and prevent legitimate clients from communicating with ZeroMQ.
(CVE-2020-15166)
It was discovered that ZeroMQ did not properly manage memory under certain
circumstances. If a user or automated system were tricked into connecting
to one or multiple compromised servers, a remote attacker could use this
issue to cause a denial of service. (CVE-2021-20234)
It was discovered that ZeroMQ incorrectly handled memory when proc
GHSA
GHSA-pf98-hx9m-qj7w: In ZeroMQ libzmq before 4
ghsa_unreviewed·2022-05-24
CVE-2019-13132 [CRITICAL] CWE-787 GHSA-pf98-hx9m-qj7w: In ZeroMQ libzmq before 4
In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2, a remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library. Users running public servers with the above configuration are highly encouraged to upgrade as soon as possible, as there are no known mitigations.
OSV
CVE-2019-13132: In ZeroMQ libzmq before 4
osv·2019-07-10·CVSS 9.8
CVE-2019-13132 [CRITICAL] CVE-2019-13132: In ZeroMQ libzmq before 4
In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2, a remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library. Users running public servers with the above configuration are highly encouraged to upgrade as soon as possible, as there are no known mitigations.
No detection rules found.
No public exploits indexed.
HackerOne
CVE-2019-13132 - libzmq 4.1 series is vulnerable
hackerone·2019-11-18·CVSS 9.8
CVE-2019-13132 [CRITICAL] CVE-2019-13132 - libzmq 4.1 series is vulnerable
## Summary:
A pointer overflow, with code execution, was discovered in ZeroMQ libzmq (aka 0MQ) 4.2.x and 4.3.x before 4.3.1. A v2_decoder.cpp zmq::v2_decoder_t::size_ready integer overflow allows an authenticated attacker to overwrite an arbitrary amount of bytes beyond the bounds of a buffer, which can be leveraged to run arbitrary code on the target system. The memory layout allows the attacker to inject OS commands into a data structure located immediately after the problematic buffer (i.e., it is not necessary to use a typical buffer-overflow exploitation technique that changes the flow of control).
## Releases Affected:
Monero (allocator.data () + allocator.size ())))) {
This is inadequate because a very large msg_size_ will overflo
Bugzilla
CVE-2019-13132 zeromq: stack-overflow on any server protected by encryption/authentication [fedora-all]
bugzilla·2019-07-15·CVSS 9.8
CVE-2019-13132 [CRITICAL] CVE-2019-13132 zeromq: stack-overflow on any server protected by encryption/authentication [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects m
Bugzilla
CVE-2019-13132 zeromq: stack-overflow on any server protected by encryption/authentication [epel-all]
bugzilla·2019-07-15·CVSS 9.8
CVE-2019-13132 [CRITICAL] CVE-2019-13132 zeromq: stack-overflow on any server protected by encryption/authentication [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multi
Bugzilla
CVE-2019-13132 zeromq: stack-overflow on any server protected by encryption/authentication [openstack-rdo]
bugzilla·2019-07-15·CVSS 9.8
CVE-2019-13132 [CRITICAL] CVE-2019-13132 zeromq: stack-overflow on any server protected by encryption/authentication [openstack-rdo]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of openstack-rdo.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Fix is
Bugzilla
CVE-2019-13132 zeromq: stack-overflow on any server protected by encryption/authentication
bugzilla·2019-07-04·CVSS 9.8
CVE-2019-13132 [CRITICAL] CVE-2019-13132 zeromq: stack-overflow on any server protected by encryption/authentication
A vulnerability was discovered in ZeroMQ through 4.0.0 onwards which allows any unauthenticated client to cause a stack overflow on any server that is supposed to be protected by encryption/authentication. Arbitrary data sent by the client will overwrite the stack, so although the reporter didn't provide a specific exploit, it is entirely possible that a crafty attacker could take advantage of this vulnerability to do more than "just" crash the server.
Discussion:
Created zeromq tracking bugs for this issue:
Affects: fedora-all [bug 1729830]
---
Created zeromq tracking bugs for this issue:
Affects: epel-all [bug 1729831]
---
Reference:
https://github.com/zeromq/libzmq/issues/3558
---
Exter
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00033.html
- http://www.openwall.com/lists/oss-security/2019/07/08/6
- http://www.securityfocus.com/bid/109284
- https://fangpenlin.com/posts/2024/04/07/how-i-discovered-a-9-point-8-critical-security-vulnerability-in-zeromq-with-mostly-pure-luck/
- https://github.com/zeromq/libzmq/issues/3558
- https://github.com/zeromq/libzmq/releases
- https://lists.debian.org/debian-lts-announce/2019/07/msg00007.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AVCTNUEOFFZUNJOXFCYCF3C6Y6NDILI3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MK7SJYDJ7MMRRRPCUN3SCSE7YK6ZSHVS/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T6HINI24SL7CU6XIJWUOSGTZWEFOOL7X/
- https://news.ycombinator.com/item?id=39970716
- https://seclists.org/bugtraq/2019/Jul/13
- https://security.gentoo.org/glsa/201908-17
- https://usn.ubuntu.com/4050-1/
- https://www.debian.org/security/2019/dsa-4477